Recent disparaging comments about private sector engagement in U.S. national cyber defense misrepresent the collaboration and hard-won progress made with the U.S. government and public sector. In an interview that aired on National Public Radio, a former Bush administration official applauded Estonia's emerging citizen-based cyber army while casting aspersions on the contributions of our own nation's corporate security experts.
Not only are those assertions untrue; the comparison is ridiculous. The U.S. is certainly not Estonia, and the issues are more complex, with more risk to us from criminals, terrorists and nation states. With the advent of cloud computing and new degrees of openness on the Internet, our problems could become even more complex. The characterization of private enterprise as 'standoffish' by a former government insider, whose focus was not cyber, highlights the heart of the problem. The fact is, until recently we have not had sufficient expertise in the government to secure our critical infrastructure from cyber attacks.
The U.S. has a long history of fits and starts in its public/private partnership, going back to the 1990s when the NSA sought to hold encryption keys and limit the strength of encryption used in the U.S. commercial marketplace. Regulation prevented the sale of encryption technology abroad, enabling foreign companies to develop their own technology and industry. President Clinton relaxed encryption controls in 1999, and since that time the NSA has been very cooperative with the private sector and has shown great leadership on cyber security.
In late 2001, the Council of Europe and the U.S. agreed to a cybercrime convention that would enable cross-country investigation and prosecution of cybercriminals. Despite industry lobbying efforts, it took the U.S. Senate over five years to ratify that treaty -- hardly internet speed.
In February 2003, a national strategy to secure the critical infrastructure of the U.S. was released. In December of that year, then-DHS Secretary Tom Ridge convened a diverse group of private sector companies to develop a framework for a more effective public/private partnership to execute the strategy. In April 2004, after several months of work, the private sector released multiple recommendations from several task groups. In the ensuing years, few, if any, of those recommendations were acted on by the federal government.
When Michael Chertoff took over DHS in 2005, he elevated the position of cyber security from a director to an assistant secretary, an action widely supported by industry. However, three years later there were still limited operational capabilities and staff.
Recently, again despite strong industry support, legislation to update the Federal Information Security Management Act has still not passed. Nor has Congress passed legislation to establish federal standards for data breach notification and for protecting sensitive information, even though almost all states have enacted such laws.
Nevertheless, as we enter 2011, we're starting to make significant progress. Late in the Bush Administration, and continued in the Obama Administration, significant hiring of competent people commenced in DHS and other agencies, bolstering cyber security operational capabilities in civilian government. In addition, the positions of Federal CIO and Cyber Security Coordinator were established with Vivek Kundra and Howard Schmidt, respectively. Kundra and Schmidt teamed up last year to issue important White House guidance to federal agencies for implementing more effective risk management practices using continuous monitoring -- another important industry recommendation.
In the meantime, there is work done every day by the private sector companies that run our critical infrastructure. Industries such as finance, retail and healthcare have made enormous strides in protecting financial transactions and personal information. The security and telecommunications industries consistently share information with the government about known threats, viruses and sources of attacks. Further, the security industry is exploiting innovative technologies like virtualization, the enabling technology of the cloud, to actually reduce complexity and create better security than exists today.
Next month the information security industry will converge for the 20th annual RSA Conference, the largest security gathering in the world. Each year, the conference hosts leaders from government who are sincerely interested in improving cyber security and advancing collaboration with the private sector. Federal government speakers in the last few years have included the NSA Director, General Keith Alexander; FBI Director Robert Mueller; and current DHS Secretary Janet Napolitano. Next month, the Conference will welcome current Department of Defense Deputy Secretary William Lynn, and former President Clinton will present the closing keynote.
So let us not be misinformed about our nation's ability and desire to harness the knowledge and experience of the private sector to defend our critical infrastructure. We stand ready to help.
Art Coviello is the President of RSA, the security division of EMC, the world's leading provider of information infrastructure.